[wp-trac] Re: [WordPress Trac] #2425: Pseudo-Cron

WordPress Trac wp-trac at lists.automattic.com
Wed Mar 8 01:03:40 GMT 2006


#2425: Pseudo-Cron
----------------------------+-----------------------------------------------
       Id:  2425            |      Status:  new                     
Component:  Administration  |    Modified:  Wed Mar  8 01:03:40 2006
 Severity:  normal          |   Milestone:  2.1                     
 Priority:  normal          |     Version:  2.0.1                   
    Owner:  ryan            |    Reporter:  ryan                    
----------------------------+-----------------------------------------------
Comment (by masquerade):

 With the NST about, this may show up as a vulnerability, I can see it now:

 ========== WordPress 2.1 Remote Cron Execution ==========
 Severity: CRITICAL!!!!1

 WordPress 2.1 allow any users to run wp-cron.php which may run scheduled
 cron jobs on remote server.
 this vuln has a few problems though
 [1] The cron jobs have to be scheduled by an admin user
    If you are an admin user, you can enable cron jobs that could
 potentially damage your install or users!!

 == Solution ==
 wordpress/ $ rm wp-cron.php

-- 
Ticket URL: <http://trac.wordpress.org/ticket/2425>
WordPress Trac <http://wordpress.org/>
WordPress blogging software

